Friday, October 18, 2013

HTB23175: Remote Code Execution in Microweber

Microweber

High-Tech Bridge Security Research Lab discovered a vulnerability in Microweber which can be exploited to delete arbitrary files and, as a consequence, compromise the vulnerable system.

Improper Access Control in Microweber: the vulnerability (CVE-2013-5984) exists due to improper access restriction to the "/userfiles/modules/admin/backup/delete.php" script and insufficient validation of user-supplied input passed via the "file" HTTP GET parameter.

A remote unauthenticated attacker can delete arbitrary files on the target system with the privileges of the web server by using directory traversal sequences and a NULL byte.

The exploitation example below deletes the application's configuration file "config.php":
http://[host]/userfiles/modules/admin/backup/delete.php?file=../../../../../config.php
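The two defects behind that request, a missing session check and a user-controlled file name joined straight onto a directory, are shown below as an added example. This is not Microweber's code: the function names, the directory layout and the sample files are assumptions, written to illustrate the bug class and its fix.

```php
<?php
declare(strict_types=1);

// Added example, not Microweber's code: a backup-deletion handler of the kind
// the advisory describes, first as the vulnerable pattern and then hardened.
// Function names, the directory layout and the sample files are assumptions.

// Vulnerable: no session check, and the request value is glued onto the backup
// directory with no normalisation, so "../../../../../config.php" resolves
// outside it. On PHP < 5.3.4 a trailing "%00" additionally truncated the path,
// which is why the advisory mentions the NULL byte; current PHP rejects NUL in
// filesystem functions, but the traversal alone is enough here.
function delete_backup_vulnerable(string $backupDir, string $file): bool
{
    return @unlink($backupDir . '/' . $file);
}

// Hardened: authenticated admin only; the name must be a plain file name (no
// separators, no NUL, no leading dot); and the resolved path must sit inside the
// resolved backup directory, which also defeats symlinks placed in that directory.
function delete_backup_safe(string $backupDir, string $file, bool $isAdmin): bool
{
    if (!$isAdmin) {
        throw new RuntimeException('admin session required');
    }
    if ($file === '' || strpos($file, "\0") !== false
        || $file !== basename($file) || $file[0] === '.') {
        throw new InvalidArgumentException('invalid backup name');
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . '/' . $file);   // false if the file does not exist
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes backup directory');
    }
    return unlink($path);
}

// Self-check on a throwaway layout (constructed, not a real install):
//   $root/config.php   the file the advisory's payload targets
//   $root/backups/     the only directory deletions should ever touch
$root = sys_get_temp_dir() . '/mw_' . bin2hex(random_bytes(4));
$backups = $root . '/backups';
mkdir($backups, 0700, true);
$config = $root . '/config.php';
file_put_contents($config, "<?php // site config\n");
file_put_contents($backups . '/site.zip', 'x');

$traversal = '../config.php';   // one level suffices for this layout

delete_backup_vulnerable($backups, $traversal);
printf("vulnerable handler: config.php %s\n", file_exists($config) ? 'survived' : 'was deleted');

file_put_contents($config, "<?php // site config\n");
try {
    delete_backup_safe($backups, $traversal, true);
    echo "hardened handler: traversal was NOT rejected\n";
} catch (InvalidArgumentException $e) {
    printf("hardened handler: rejected (%s); config.php %s\n",
           $e->getMessage(), file_exists($config) ? 'survived' : 'was deleted');
}
printf("hardened handler: legitimate delete of site.zip %s\n",
       delete_backup_safe($backups, 'site.zip', true) ? 'succeeded' : 'failed');

unlink($config);
rmdir($backups);
rmdir($root);
```

The realpath() comparison is the part that matters: basename() alone would stop "../config.php", but it does nothing against a symlink an attacker managed to place inside the backup directory, and it says nothing about whether the caller is allowed to delete anything at all.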

Once "config.php" is deleted, the application prompts for a fresh installation when "/index.php" is accessed. Further exploitation of this vulnerability therefore allows the attacker to reinstall the application and obtain full administrative access to it.

After a successful re-installation the attacker can use the "Admin Console" module of the application to execute arbitrary PHP code on the target system.

The simple exploit below displays the output of the "phpinfo()" PHP function after a successful re-installation ("exec_command" carries the base64-encoded function name "phpinfo" and "exec_command_params" the base64-encoded argument "1"):
POST /module/ HTTP/1.1

module=admin%2Fconsole%2Fterm&data-type=admin%2Fconsole%2Fterm&id=mw_exec_term_command&class=+module++&exec_command=cGhwaW5mbw==&exec_command_params=MQ%3D%3D

Solution: Update to Microweber version 0.830

Source: High-Tech Bridge security advisory HTB23175.

Friday, October 11, 2013

HTB23174: Cross-Site Scripting (XSS) in Feng Office

Feng Office

Feng Office version 2.3.2-rc is vulnerable to cross-site scripting (XSS), which can be exploited to attack users of the vulnerable application.

The vulnerability exists due to insufficient sanitisation of user-supplied data passed via "ref_[any]" HTTP GET parameters (any GET parameter whose name starts with "ref_") to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
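The advisory keeps its exploit on its own page, so the following is an added example rather than Feng Office code: a hypothetical handler that reflects every "ref_*" parameter back into the page, first unencoded, then with the value encoded for each output context it lands in. The parameter handling, names and the crafted query string are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Feng Office code: a hypothetical page that echoes every
// "ref_*" query parameter back as a link, first unencoded and then encoded for
// each output context. Parameter handling and names are assumptions.

// Vulnerable: raw request data inside an attribute value and a text node.
function render_refs_vulnerable(array $get): string
{
    $html = '';
    foreach ($get as $name => $value) {
        if (strncmp((string) $name, 'ref_', 4) !== 0) {
            continue;
        }
        $html .= "<a href=\"index.php?$name=$value\">$value</a>\n";
    }
    return $html;
}

// HTML-encode for attribute values and text nodes. ENT_QUOTES also escapes the
// single quote (the attribute below is double-quoted, but the next developer may
// not keep it that way); ENT_SUBSTITUTE keeps invalid UTF-8 from blanking output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: the parameter name is validated against a fixed shape, the value is
// URL-encoded where it lands in a query string and HTML-encoded everywhere it
// lands in markup.
function render_refs_safe(array $get): string
{
    $html = '';
    foreach ($get as $name => $value) {
        if (!is_string($value) || preg_match('/^ref_[a-z0-9_]{1,32}$/', (string) $name) !== 1) {
            continue;
        }
        $query = rawurlencode((string) $name) . '=' . rawurlencode($value);
        $html .= '<a href="index.php?' . h($query) . '">' . h($value) . "</a>\n";
    }
    return $html;
}

// Constructed query string of a crafted link; the value closes the attribute
// and injects a script element when reflected unencoded.
parse_str('ref_page=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E', $get);

echo "--- vulnerable ---\n", render_refs_vulnerable($get);
echo "--- hardened ---\n",   render_refs_safe($get);
```

Encoding per context is the point: the same value needs rawurlencode() inside the query string and htmlspecialchars() inside the attribute and the text node, and restricting accepted parameter names closes the channel where a crafted key, not just a crafted value, is reflected.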

An exploitation example and additional details are available on the advisory page.

Friday, October 4, 2013

HTB23171: Gnew 2013.1 multiple vulnerabilities

Gnew version 2013.1 and probably prior versions suffer from PHP file inclusion and SQL injection vulnerabilities, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application.

The PHP file inclusion vulnerability in Gnew exists due to insufficient validation of user-supplied input passed via the "gnew_language" cookie to the "users/login.php" script before it is used in an "include()" call. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte.
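An added example of that bug class, not Gnew's code: a language loader that builds an include() path from a cookie, beside a loader that treats the cookie as a key into an allowlist. File and function names and the sample language files are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Gnew's code: a language loader of the kind the advisory
// describes, where a cookie value is turned into an include() path. File and
// function names and the sample language files are assumptions.

// Vulnerable: the cookie reaches include() with only a prefix and suffix
// around it. "../../../../etc/passwd%00" walks out of the languages directory;
// on PHP < 5.3.4 the NUL byte (decoded before it reaches $_COOKIE) truncated
// the path so the ".php" suffix never applied. Current PHP refuses NUL in
// include(), but the traversal still reaches any .php file the web server can
// read anywhere on the system.
function load_language_vulnerable(string $langDir, string $cookieValue)
{
    return include $langDir . '/' . $cookieValue . '.php';
}

// Hardened: the cookie is a key, never a path. It must match the shape of a
// language code and name one of the files actually shipped; anything else
// falls back to the default.
function available_languages(string $langDir): array
{
    $codes = [];
    foreach (glob($langDir . '/*.php') ?: [] as $path) {
        $codes[] = basename($path, '.php');
    }
    return $codes;
}

function load_language_safe(string $langDir, $cookieValue, string $default = 'en')
{
    $lang = $default;
    if (is_string($cookieValue)
        && preg_match('/^[a-z]{2}(?:_[A-Z]{2})?$/', $cookieValue) === 1
        && in_array($cookieValue, available_languages($langDir), true)) {
        $lang = $cookieValue;
    }
    return include $langDir . '/' . $lang . '.php';
}

// Self-check (constructed layout): two real language files inside $langDir and
// one .php file outside it standing in for anything the attacker can reach.
$root = sys_get_temp_dir() . '/gnew_' . bin2hex(random_bytes(4));
$langDir = $root . '/languages';
mkdir($langDir, 0700, true);
file_put_contents($langDir . '/en.php', "<?php return ['code' => 'en'];\n");
file_put_contents($langDir . '/fr.php', "<?php return ['code' => 'fr'];\n");
file_put_contents($root . '/outside.php', "<?php return ['code' => 'INCLUDED FROM OUTSIDE languages/'];\n");

$cookie = '../outside';   // what a crafted gnew_language cookie would carry
printf("vulnerable: %s\n", load_language_vulnerable($langDir, $cookie)['code']);
printf("hardened, traversal cookie: %s\n", load_language_safe($langDir, $cookie)['code']);
printf("hardened, valid cookie 'fr': %s\n", load_language_safe($langDir, 'fr')['code']);

foreach ([$langDir . '/en.php', $langDir . '/fr.php', $root . '/outside.php'] as $f) {
    unlink($f);
}
rmdir($langDir);
rmdir($root);
```

The fix is an allowlist rather than path sanitisation because the set of valid languages is known in advance; a regex on the shape of the code plus a membership check against the files that exist leaves no way to spell a path.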

The SQL injection vulnerabilities in Gnew exist due to insufficient filtration of the following HTTP POST parameters: "friend_email" passed to "news/send.php"; "user_email" to "users/register.php"; "answer_id" and "question_id" to "/polls/vote.php"; "story_id" to "/comments/add.php" and "/comments/edit.php"; "thread_id" to "/posts/add.php" and "/posts/edit.php".
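The same defect sits behind every parameter in that list, so one added example covers it, using the "question_id"/"answer_id" pair sent to "/polls/vote.php". This is not Gnew's code: the table, rows and request body are constructed here, and the script needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example, not Gnew's code: the class of bug the advisory lists for
// "question_id" and "answer_id" sent to "/polls/vote.php", shown against an
// in-memory SQLite table (schema and rows constructed here; needs pdo_sqlite).

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE poll_answers (answer_id INTEGER PRIMARY KEY, question_id INTEGER, votes INTEGER)');
$db->exec('INSERT INTO poll_answers VALUES (1, 10, 0), (2, 10, 0), (3, 11, 0)');

// Vulnerable: POST fields interpolated straight into the statement. With
// answer_id = "1 OR 1=1" the WHERE clause becomes
//   question_id = 10 AND answer_id = 1 OR 1=1
// and every row in the table is incremented.
function vote_vulnerable(PDO $db, string $questionId, string $answerId): int
{
    return $db->exec("UPDATE poll_answers SET votes = votes + 1
                      WHERE question_id = $questionId AND answer_id = $answerId");
}

// Hardened: validate the shape first, then bind. The bound values travel
// separately from the statement text, so they can never be parsed as SQL.
function vote_safe(PDO $db, string $questionId, string $answerId): int
{
    if (!ctype_digit($questionId) || !ctype_digit($answerId)) {
        throw new InvalidArgumentException('question_id and answer_id must be integers');
    }
    $stmt = $db->prepare('UPDATE poll_answers SET votes = votes + 1
                          WHERE question_id = :q AND answer_id = :a');
    $stmt->bindValue(':q', (int) $questionId, PDO::PARAM_INT);
    $stmt->bindValue(':a', (int) $answerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function dump_votes(PDO $db): string
{
    $rows = $db->query('SELECT answer_id, votes FROM poll_answers ORDER BY answer_id')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
    return json_encode($rows);
}

// Constructed POST body of a crafted vote request.
$post = ['question_id' => '10', 'answer_id' => '1 OR 1=1'];

printf("vulnerable: %d rows changed, votes now %s\n",
       vote_vulnerable($db, $post['question_id'], $post['answer_id']), dump_votes($db));

try {
    vote_safe($db, $post['question_id'], $post['answer_id']);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s), votes still %s\n", $e->getMessage(), dump_votes($db));
}
printf("hardened, honest vote: %d row changed, votes now %s\n",
       vote_safe($db, '10', '1'), dump_votes($db));
```

The validation step is a courtesy to the caller; the prepared statement is the control. It applies unchanged to the string-valued parameters in the list ("friend_email", "user_email"), where a cast to int is not an option.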

As a solution it is suggested to apply the unofficial patch developed by High-Tech Bridge Security Research Lab, which is available here: https://www.htbridge.com/advisory/HTB23171-patch.zip

The full advisory and additional details are available here.

Thursday, October 3, 2013

HTB23173: GLPI remote code execution

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in GLPI version 0.84.1, which can be exploited to bypass security restrictions and execute arbitrary PHP code with the privileges of the web server.

The improper access control vulnerability in GLPI exists due to insufficient access restrictions on the installation script "install/install.php", which is still present by default after the application has been installed. A remote attacker can change the application's configuration, such as the database host, forcing the application to connect to an external database in order to spoof information on the website, obtain access to sensitive information or simply cause a denial of service.

The arbitrary PHP code injection vulnerability in GLPI exists due to insufficient validation of user-supplied input passed to the "db_host", "db_user", "db_pass" and "databasename" HTTP POST parameters of the same "install/install.php" script before the data is written into the "config_db.php" file. A remote attacker can inject and execute arbitrary PHP code on the vulnerable system.
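Two hardening points recur in this advisory and in the Microweber one above: an installer that still answers requests after setup (GLPI's "install/install.php", and the Microweber re-install reached by deleting "config.php"), and configuration values written into a PHP file by string interpolation. The added example below shows both as hypothetical installer helpers; it is not GLPI's or Microweber's code, and the names, paths and sample POST body are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not GLPI's or Microweber's code: two hardening points that the
// advisories share, written as hypothetical installer helpers. (1) An installer
// that keeps answering requests after setup is gated by a lock file. (2)
// Configuration values are written into a PHP file without being interpolated
// into source text. Names, paths and the sample POST are assumptions.

// Vulnerable writer: each value is dropped into a PHP string literal. A db_host
// of   x'); define('INJECTED', 1); echo('   closes the literal and the call,
// leaving a well-formed statement of the attacker's choice in the config file.
function write_config_vulnerable(string $path, array $post): void
{
    $php = "<?php\n";
    foreach ($post as $key => $value) {
        $php .= "define('$key', '$value');\n";
    }
    file_put_contents($path, $php);
}

// Hardened writer: only the fields the installer owns are kept, and var_export()
// emits them as properly quoted and escaped PHP literals, so a value can only
// ever be data. Writing to a temp file and renaming keeps a crash from leaving a
// half-written config behind.
function write_config_safe(string $path, array $post): void
{
    $allowed = ['db_host', 'db_user', 'db_pass', 'databasename'];
    $clean = [];
    foreach ($allowed as $key) {
        $clean[$key] = (string) ($post[$key] ?? '');
    }
    $tmp = $path . '.tmp';
    file_put_contents($tmp, "<?php\nreturn " . var_export($clean, true) . ";\n", LOCK_EX);
    rename($tmp, $path);
}

// Installer gate: once setup has completed, the installer refuses every request.
function installer_allowed(string $lockFile): bool
{
    return !file_exists($lockFile);
}

function finish_install(string $lockFile): void
{
    file_put_contents($lockFile, 'installed ' . date('c') . "\n", LOCK_EX);
}

// Self-check with a constructed POST body and a throwaway directory.
$dir = sys_get_temp_dir() . '/glpi_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$post = [
    'db_host'      => "x'); define('INJECTED', 1); echo('",
    'db_user'      => 'glpi',
    'db_pass'      => 's3cret',
    'databasename' => 'glpi',
    'extra'        => 'not an installer field',
];

write_config_safe($dir . '/config_db.php', $post);
$cfg = include $dir . '/config_db.php';
printf("hardened: INJECTED defined after include: %s; db_host kept verbatim: %s\n",
       var_export(defined('INJECTED'), true), var_export($cfg['db_host'] === $post['db_host'], true));

write_config_vulnerable($dir . '/config_db_vuln.php', $post);
include $dir . '/config_db_vuln.php';
printf("vulnerable: INJECTED defined after include: %s\n", var_export(defined('INJECTED'), true));

$lock = $dir . '/install.lock';
printf("installer reachable before lock: %s\n", var_export(installer_allowed($lock), true));
finish_install($lock);
printf("installer reachable after lock:  %s\n", var_export(installer_allowed($lock), true));

foreach (['config_db.php', 'config_db_vuln.php', 'install.lock'] as $f) {
    unlink($dir . '/' . $f);
}
rmdir($dir);
```

The benign payload defines a constant instead of running a command, which is enough to prove the injected statement executes on include; in the advisory's scenario the same break-out carries whatever PHP the attacker chooses. The lock file is the cheaper of the two fixes and removes the precondition for both the GLPI and the Microweber chains, but it does not replace escaping: an administrator legitimately re-running the installer must not be able to corrupt the config either.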

Solution: update to GLPI 0.84.2. All details, with PoC examples, are available on the security researcher's page.